MS bugged, CA vulnerable

Microsoft's Outlook and Internet Explorer have been hit by security holes. The company said it was investigating a report by security firm eEye of a new set of potentially serious flaws in the e-mail application and Web browser.

The two holes could let an attacker take control over a system with minimal action from the user, eEye said in two security alerts posted on its advisories page. The company ranks the flaws as 'high' risk.

One of the vulnerabilities could let an attacker compromise a user's machine after the user clicks on a Web link. The flaws exist in the default installations of the applications on most current versions of Windows, according to eEye. The company has informed Microsoft and will not provide further details until Microsoft has provided a patch or security alert, it said on its Website.

In another report, eEye outlines multiple vulnerabilities in the Computer Associates Licence Management software that is installed by default with almost all of CA's products. The licencing software allows remote management and tracking of software licences.

eEye has discovered multiple stack-based vulnerabilities within the licencing component that processes incoming network requests. The licencing protocol is text-based, and all of the vulnerabilities arise from incorrect handling of the incoming text strings. Successful exploitation of these vulnerabilities will allow a remote attacker to reliably execute code within the SYSTEM context.